IPFire on Raspberry Pi 3B

IPFire is a modular open-source firewall distribution with a primary objective of security. IPFire employs a Stateful Packet Inspection (SPI) firewall, which is built on top of netfilter (the Linux packet filtering framework). The modular design allows basic functionality to be extended by installing add-ons, which are easily deployed with the IPFire package management system, pakfire. Updates are digitally signed and encrypted.

During the installation of IPFire, the network is configured into different, separate segments (zones). These segments may be enabled separately, depending on your requirements. Each segment represents a group of computers that share a common security level.

Green represents a "safe" area. This is where all regular clients will reside. It is usually comprised of a wired, local network. Clients on Green can access all other network segments without restriction. Red indicates "danger" or the connection to the Internet. Nothing from Red is permitted to pass through the firewall unless specifically configured by the administrator. Blue represents the "wireless" part of the local network. Since the wireless network has the potential for abuse, it is uniquely identified and specific rules govern clients on it. Clients on this network segment must be explicitly allowed before they may access the network.

According to the IPFire ARM compatibility list, the Raspberry Pi 3B board has been very well supported since IPFire 2.21. Therefore, I chose the Pi 3B board to run IPFire 2.21. The Raspberry Pi 3B is equipped with a 1.2 GHz 64-bit quad-core ARM Cortex-A53 processor and 1 GB of RAM. It has integrated 2.4 GHz 802.11n WiFi (150 Mbit/s) on a Broadcom BCM43438 chip and a single integrated 10/100 Ethernet port. In total, the board offers two integrated network interfaces.

During the installation, we will assign the Ethernet interface to the Red segment. According to the documentation, a wireless interface should be assigned to the Blue zone. The installation process, however, does not offer a Red + Blue combination. If one wants to configure the Blue zone for the wireless interface, only the Red + Green + Blue combination is available. The Pi 3B board, however, offers only two integrated ports. Therefore, we need to assign the wireless interface to the Green segment. As a consequence, wireless clients are treated as Green clients, without the explicit-allow rule that the Blue zone applies.

Note: I provide my own IPFire 2.21 image created on a Raspberry Pi 3B. Just copy the image to an SD card and configure your Internet connection (Step 4).

ipfire-2.21-public.zip [2.1GB]
ipfire-2.21-public.zip.md5.txt [57B]

Image Credentials
root/test
admin/test
SSID = IPFire
WPA passphrase = Secret_passphrase

Installation Steps

1. Download and Extract IPFire Image

$ wget https://downloads.ipfire.org/releases/ipfire-2.x/2.21-core122/ipfire-2.21.2gb-ext4.armv5tel-full-core122.img.xz

$ xz -d ipfire-2.21.2gb-ext4.armv5tel-full-core122.img.xz

2. Copy IPFire image and Start Installation

$ sudo dd bs=4M if=ipfire-2.21.2gb-ext4.armv5tel-full-core122.img of=/dev/mmcblk0 status=progress conv=fsync

Note: An SD card with a minimum capacity of 4 GB is needed.

The image is configured for the serial console by default. We want to use the HDMI output and a USB keyboard. Therefore, you must mount the first FAT32 partition (130MB) and change SERIAL-CONSOLE=ON to OFF in the file uENV.txt.

During the first boot, the installation process starts automatically. Provide the configuration published in the IPFire installation steps. Once setup is complete, the system reboots. Log in to the console with the root account, using the password you configured for the user root during installation.

3. Install hostapd with Pakfire

Connect your freshly installed IPFire box to the Internet via the FastEthernet interface (Red). If you use PPPoE to connect to the Internet, plug IPFire into your router, which is configured with the PPPoE credentials. We will show the configuration of IPFire for a PPPoE connection later in the tutorial.

We are going to install hostapd, which is used to create the access point (AP).

# pakfire install hostapd

Change default interface blue0 in hostapd.conf to green0.

# sed -i 's/interface=blue0/interface=green0/g' /etc/hostapd.conf

Change default interface blue0 in /etc/init.d/hostapd to green0.

# sed -i 's/INTERFACE="blue0"/INTERFACE="green0"/g' /etc/init.d/hostapd

Change the default WPA passphrase IPFire-2.x to Secret_passphrase.

# sed -i 's/wpa_passphrase=IPFire-2.x/wpa_passphrase=Secret_passphrase/g' /etc/hostapd.conf
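
An added check, not part of the original post or of IPFire: it audits hostapd.conf after the three sed edits above and flags an interface that was not switched, or a passphrase that is still the package default or the one printed in this tutorial. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit hostapd.conf after the sed edits in this step.

# Print the value of the last "KEY=value" line in FILE.
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# audit_hostapd_conf FILE EXPECTED_INTERFACE
# Prints one finding per line; returns 0 if none, 1 otherwise.
audit_hostapd_conf() {
    conf=$1; want_if=$2; rc=0
    iface=$(conf_value "$conf" interface)
    pass=$(conf_value "$conf" wpa_passphrase)

    if [ "$iface" != "$want_if" ]; then
        echo "interface=$iface (expected $want_if)"; rc=1
    fi
    # Values that are public: the package default and the one printed above.
    case $pass in
        IPFire-2.x|Secret_passphrase)
            echo "wpa_passphrase is a publicly known value"; rc=1 ;;
    esac
    # A WPA passphrase must be 8 to 63 characters long.
    len=${#pass}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "wpa_passphrase length $len is outside 8..63"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the file as it looks when only the first sed has run.
sample=$(mktemp)
printf '%s\n' 'interface=green0' 'ssid=IPFire' 'wpa=2' \
    'wpa_passphrase=IPFire-2.x' > "$sample"
audit_hostapd_conf "$sample" green0 || echo "audit failed"
rm -f "$sample"
```

On the IPFire box the call would be audit_hostapd_conf /etc/hostapd.conf green0, run before the reboot.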

Reboot the IPFire box with the reboot command. After boot, hostapd should be running. Check with the ps command.

# ps -ef | grep hostapd

Picture 1 - Hostapd Daemon is Running

The wireless network with the SSID IPFire should be available now. We connect from any wireless device to the network via the green interface (green0). The web interface is available at https://192.168.1.1:444. Use the username admin and the password configured in installation step 6.

4. Internet Connection Configuration

We use PPPoE to connect to the Internet. Therefore, we need to reconfigure the red interface (FastEthernet) for this type of connection (Picture 2).

Picture 2 - IPFire Network Connection with RED and GREEN Segments

So far, the static IP address 172.17.100.50/16 has been configured on the FastEthernet interface. If you do not use PPPoE (no connection credentials are needed), you only need to set a dynamic IP address on the red interface. In both cases, log in to the IPFire console and enter the command setup.

# setup

Navigate to Networking and choose the option Address Settings. Select the RED interface. Choose the PPP DIAL UP option (Picture 3). If you do not use PPPoE, select the option DHCP.

Picture 3 - Configuring PPPoE Connection for RED Interface

Open your web browser and enter https://192.168.1.1:444. Navigate to System -> Dialup. Fill in all the fields marked with the * character (Picture 4). Save your profile with the Save button.

 

Picture 4 - Configuring PPPoE Using WEB Interface

Navigate to System -> Home and select the profile (T-COM) (Picture 5). Click the Connect button and reboot IPFire.

Picture 5 - Enabling PPPoE Connection

Once booted up, the new interface ppp0 should be configured with an IP address (Picture 6).

Picture 6 - Network Interfaces

Our Internet connection is working. You can also check the status of your connection using the web interface (Picture 5).

5. Configure SSH Access

Enable the SSH server. Navigate to System -> SSH Access and enable SSH Access (Picture 7).

Picture 7 - Enabling SSH Access

Now, we can connect with the command ssh.

# ssh root@192.168.1.1 -p 222

6. Backup IPFire Image

Remove the SD card from the Raspberry Pi and back up your new IPFire image with the command:

$ sudo dd bs=4M if=/dev/mmcblk0 of=ipfire-2.21.2.img status=progress conv=fsync


End.

4 thoughts on “IPFire on Raspberry Pi 3B”

  1. I did this tutorial on my Raspberry Pi 3B, and I get "network is unreachable", and it doesn't recognize my WAN IP address.

  2. When writing to a device with 'dd' you will want to write to the base device not a partition.

    The Micro SD card is not necessarily visible as /dev/mmcblk*(1-9), as it is possibly at /dev/sd*(a-z) if you have it in a USB MicroSD converter.

    sudo dd bs=4M if=ipfire-2.21.2gb-ext4.armv5tel-full-core122.img of=/dev/sdb status=progress conv=fsync

    You want to write to /dev/sdb (SCSI disk A, SCSI disk B) not to /dev/sdb1 (SCSI disk B partition 1) etc..

  3. Awesome, thank you very much. I couldn't get the image from ipfire site to work, but yours boots first time!

  4. Hi!
    Many thanks for sharing this very useful info but I couldn't make this work, tried every combination of R+G+B networks to no avail, no inbound or outbound traffic.
    What I need: to connect the RPI 3B+ to ISP router via Ethernet and then filter incoming wireless clients that connect to the PI.
    The default configuration is Green=Wireless, Red=Ethernet but what I need is the opposite. Unfortunately when I switch the order the system hangs and it won't even boot and says something like "The green0 interface is not wireless".
    Could you please help? Thanks in advance!
